Adoption of the bill and European context.
Transposing three European directives from December 2022 (REC, NIS2 and DORA), the bill on the resilience of critical infrastructures and the strengthening of cybersecurity was adopted by the Senate in March 2025, then in committee at the National Assembly in September of the same year. While the European Union had set October 2024 as the deadline for transposing these directives, the chairs of the two special committees on the bill, Olivier Cadic for the Senate and Philippe Latombe for the National Assembly, jointly voiced on February 5, 2026 their concern at the Government's delay in placing the text on the agenda of the public session of the National Assembly.
Major consequences of protecting the confidentiality of exchanges
Promulgated as it stands, this article 16 bis would constitute a major legislative decision in favor of protecting the confidentiality of electronic exchanges.
It would mainly lead to four types of consequences presented below.
The consequences on cybersecurity and technical architecture.
The reasoning behind this article rests on the premise that a vulnerability introduced for law enforcement is a vulnerability that can be exploited by criminals.
If this provision is maintained in the final version of the law, publishers of messaging services (such as Signal, WhatsApp) or cloud services could not be forced to develop mechanisms allowing the State to have access to end-to-end encrypted conversations.
In this regard, the article’s reference to “qualified trust service providers” would also prevent the State from compelling a certificate authority to issue fraudulent certificates in order to intercept HTTPS traffic.
Developers could also design architectures in which they themselves have no access to user data (so-called “Zero Knowledge” architectures, where the provider never holds the decryption keys), without fear that the law might force them to modify their code to obtain such access.
The consequences on judicial investigations and intelligence.
This is the main sticking point. This article would complicate the task of investigative services which rely on the interception of communications.
Police and intelligence services would come up against tamper-proof “digital safes”. Even with a court warrant, the service provider would be legally entitled to respond that it does not have the technical capacity to decrypt the data sought.
Investigators would then have to focus on endpoints, by placing spyware on the device (telephone or computer), or limit themselves, as with the records obtained from telephone operators, to listing a subscriber’s incoming and outgoing calls (detailed invoices or “fadettes”). In this second hypothesis, access would be limited to metadata only (who calls whom, when and for how long) and would exclude the content of messages or calls.
The economic and industrial consequences.
On the digital market, this article could conversely provide a powerful commercial argument.
French companies or companies hosting their data in France could thus offer a superior guarantee of confidentiality, assuring their international clients that French law formally prohibits the introduction of security vulnerabilities, unlike other states (for example the United States with the CLOUD Act, or the National Intelligence Law of PR China).
Along the same lines, the Council of European Bars had also stressed that while European law imposes strict guarantees of necessity, proportionality and control for any invasion of private life, the CLOUD Act did not provide for notification or adequate remedies.
The geopolitical consequences.
Introduced in 2022 with the support of associations and several member states, including France, a European Union proposal planned to require messaging publishers, such as WhatsApp or Telegram, to scan their users’ private conversations with the aim of fighting crimes against children.
However, due to lack of a majority and in the face of opposition from several states, including Germany, which considered that such a measure infringed on privacy, the Danish presidency of the European Union abandoned this option on October 30, 2025. The revised text now proposes to limit itself to optional control for companies.
How to ensure internal security.
Stemming from Law 2015-912 of July 24, 2015 on intelligence, and codified in the Internal Security Code (CSI), article L871-1 [2] provides that:
« (…) Authorized agents may ask the aforementioned service providers to implement these agreements themselves within seventy-two hours, unless they demonstrate that they are unable to comply with these requirements. »
While these two texts do not necessarily cancel each other out, article 16 bis of the bill would significantly narrow the scope of the legal obligation laid down in the Internal Security Code.
If this article were promulgated, legal practice would probably move towards a distinction between cooperation regarding existing capabilities and a prohibition on modifying the architecture.
The fundamental distinction: handing over versus building.
To understand how these texts would coexist, it is necessary to analyze the object of the obligation of each article.
Article L871-1 (Internal Security Code) imposes an obligation of means relating to existing capabilities: it obliges providers to hand over the decryption information they possess, or to use their existing capabilities to decrypt. This is an obligation of judicial cooperation.
Article 16 bis (draft law) prohibits structural weakening: this text would prohibit the State from requiring a supplier to modify its security architecture to create a vulnerability that does not exist by default.
Practical application scenarios.
If both articles were in force simultaneously, the situation would vary radically depending on the technical architecture of the service in question.
First hypothesis: service with centralized key management (classic Cloud, standard email):
- The provider holds the user’s encryption keys (encryption in transit or at rest, but not end-to-end). Since the provider has the key, the authority can invoke article L871-1 of the CSI, and the provider is required to hand over the decrypted data.
- In such a case, Article 16 bis of the bill is not contradicted, because there is no need to create a new device or weaken security, since the access capacity already exists.
- Likewise, without article 16 bis of the bill, the authority could theoretically require, under penalty of sanctions, that the provider implement a solution for future communications.
Second hypothesis: end-to-end encrypted service (examples: Signal, WhatsApp, E2EE digital safes):
- The provider does not have the keys (only the user has them). Without article 16 bis of the bill, the authorities can attempt to use L871-1 to force the supplier to find a technical solution.
- But, on the basis of this new provision included in the bill, if a public authority invokes article L871-1 of the CSI, the supplier will be legally able to simply respond that it does not have this key.
- Thus this text would constitute a legal shield for the supplier, which would render ineffective any request based on L871-1 of the CSI which would involve a modification of the source code aimed at circumventing end-to-end encryption.
- The supplier therefore cannot be required to provide the data and cannot be penalized for failing to do so.
- Article 16 bis of the bill, while it does not repeal article L871-1, considerably limits its scope, preventing the authorities from using the cooperation obligation of L871-1 of the CSI as a lever to force the introduction of back doors.
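The two hypotheses above, and the “Zero Knowledge” architecture mentioned earlier, come down to a single technical question: who holds the decryption key. The following Go program is an added illustration, not code from the article or from any of the services it names. A provider that keeps the data key (first hypothesis) can decrypt on request with no change to its architecture; a provider that only relays X25519 public keys and AES-GCM ciphertext (second hypothesis) has no key to hand over and can only answer that it does not have it. The type names, the sample message and the simplified key agreement (a single X25519 exchange, no ratchet) are assumptions of this example, not the design of Signal or WhatsApp.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrNoKey is the only truthful answer an end-to-end encrypted service can give
// to a decryption request: the key material is not on the server.
var ErrNoKey = errors.New("provider holds ciphertext only, no decryption key")

// must turns an error from a call that cannot fail on well-formed internal
// input (fixed key sizes, the OS CSPRNG) into a panic instead of silent misuse.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randBytes draws n bytes from crypto/rand.
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// newAEAD builds AES-256-GCM from a 32-byte key.
func newAEAD(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts msg under key; the fresh random nonce is prepended to the box.
func seal(key, msg []byte) []byte {
	aead := newAEAD(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, msg, nil)
}

// open reverses seal; it fails on a wrong key or a tampered box.
func open(key, box []byte) ([]byte, error) {
	aead := newAEAD(key)
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// CentralizedProvider models the first hypothesis: data is encrypted at rest,
// but the data key lives on the provider's own servers.
type CentralizedProvider struct{ dataKey []byte }

func NewCentralizedProvider() *CentralizedProvider { return &CentralizedProvider{dataKey: randBytes(32)} }

// Store encrypts a message the user handed over in clear (TLS protects it only in transit).
func (p *CentralizedProvider) Store(msg []byte) []byte { return seal(p.dataKey, msg) }

// Comply returns the clear text: the access capacity already exists, so the
// provider can answer an L871-1 request without touching its architecture.
func (p *CentralizedProvider) Comply(stored []byte) ([]byte, error) { return open(p.dataKey, stored) }

// RelayProvider models the second hypothesis: it forwards ciphertext and public
// keys but never holds a private or session key, so it has nothing to decrypt with.
type RelayProvider struct{}

// Comply cannot produce clear text; the provider can only report that it holds no key.
func (RelayProvider) Comply(_ []byte) ([]byte, error) { return nil, ErrNoKey }

// E2EEUser keeps its X25519 private key on the device. (Real messengers add
// ratcheting on top; the key-custody point illustrated here is the same.)
type E2EEUser struct{ priv *ecdh.PrivateKey }

func NewE2EEUser() *E2EEUser { return &E2EEUser{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

// PublicKey is the only key material the user ever hands to the provider.
func (u *E2EEUser) PublicKey() *ecdh.PublicKey { return u.priv.PublicKey() }

// sessionKey hashes the raw X25519 shared secret with a peer into an AES-256 key.
func (u *E2EEUser) sessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := u.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

// Encrypt seals msg for peer; only the two endpoints can derive the session key.
func (u *E2EEUser) Encrypt(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	k, err := u.sessionKey(peer)
	if err != nil {
		return nil, err
	}
	return seal(k, msg), nil
}

// Decrypt opens a box received from peer via the relay.
func (u *E2EEUser) Decrypt(peer *ecdh.PublicKey, box []byte) ([]byte, error) {
	k, err := u.sessionKey(peer)
	if err != nil {
		return nil, err
	}
	return open(k, box)
}
```

The point the code makes is structural rather than legal: nothing in `RelayProvider` can be ordered to decrypt, because decryption is not a capability it has. Forcing it to comply would mean changing `E2EEUser` so that the session key is also sent to the server, which is exactly the architectural modification article 16 bis would prohibit the State from demanding.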
France risks sanction from the European Union.
Parliament will have to arbitrate quickly between individual freedom and collective security in order to vote on the text, failing which the EU may impose sanctions on us for the delay in transposition.
But beyond European obligations, the parliamentarians who worked for three years on the text believe that this law has become essential to ensure our resilience in a current context of tension and risks weighing on critical infrastructure. France’s credibility is at stake…
